|
851
|
6.8 |
MEDIUM
Local
|
-
|
-
|
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content direc…
New
|
CWE-93
CRLF Injection
|
CVE-2026-42586
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
852
|
7.5 |
HIGH
Network
|
-
|
-
|
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer …
New
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-42587
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
853
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
New
|
CWE-284
Improper Access Control
|
CVE-2026-28374
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
854
|
6.5 |
MEDIUM
Network
|
-
|
-
|
A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete ser…
New
|
-
|
CVE-2026-28379
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
855
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Any Editor could delete any snapshot, even if they have no access to read or write them.
New
|
CWE-862
Missing Authorization
|
CVE-2026-28380
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
856
|
6.5 |
MEDIUM
Network
|
-
|
-
|
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-me…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-28383
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
857
|
7.4 |
HIGH
Network
|
-
|
-
|
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128…
New
|
CWE-1188
Insecure Default Initialization of Resource
|
CVE-2026-33376
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
858
|
7.1 |
HIGH
Network
|
-
|
-
|
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
New
|
-
|
CVE-2026-33377
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
859
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the …
New
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-33378
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
860
|
6.3 |
MEDIUM
Network
|
-
|
-
|
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vul…
New
|
CWE-552
Files or Directories Accessible to External Parties
|
CVE-2026-33380
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
